I have a user with sysadm rights, and can log in as root by using sudo su -, which is set to nopasswd in /etc/sudoers.
Now, I am trying to execute a sudo command from PHP, running from WAMPserver on Windows.
I've tried using ssh2_exec(), exec() of phpseclib, but the commands return no output.
My ssh2 connect function uses the same user with sysadm rights.
How do I achieve this?
Related
Is it possible to use sudo access while using PHPseclib library?
I'm trying to edit a file which user doesn't have permission to without sudo.
I have a Python3 Pyro4 server client app that works great when run from command line.
server.py
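import Pyro4

# Expose the class so that remote Pyro clients may call its methods
@Pyro4.expose
class JokeGen(object):
    def __init__(self):
        self.jokevar = "Joke"

    def joke(self, name):
        return "Sorry "+name+", I don't know any jokes."

def main():
    # Register JokeGen with the name server (ns = True) and start the daemon
    Pyro4.Daemon.serveSimple(
        {
            JokeGen: "example.jokegen"
        },
        ns = True)

if __name__=="__main__":
    main()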
client.py
#!/usr/bin/env python3
import Pyro4
import sys
person_to_joke = sys.argv[1]
joke_control = Pyro4.Proxy("PYRONAME:example.jokegen")
print (joke_control.joke(person_to_joke))
The problem is I need to run the client from a web app using PHP.
I have created a joke.php
<?php
$command = escapeshellcmd('/full/path/to/client.py SquirrelMaster');
$output = shell_exec($command);
echo $output;
?>
While this code does actually work I did some non-standard hacking to make it work. I took a copy of my /home/user/.local (where the pyro4 modules have been installed for user) and placed it in /var/www/ and gave ownership to www-data.
sudo chown -R www-data.www-data /var/www/.local
It seems like there must be a better way to do this and I'm pretty sure there will potentially be issues in the future if I leave things this way. The issue seems to be that the Pyro4 modules need to be available for the www-data user. So my question is, what is the proper way to make Pyro4 modules available to the www-data user on Ubuntu Linux running apache2?
EDIT - ADDITION
I also tried doing the following:
sudo mkdir /var/www/.local
sudo mkdir /var/www/.cache
sudo chown www-data.www-data /var/www/.local
sudo chown www-data.www-data /var/www/.cache
Then run the command:
sudo -H -u www-data pip3 install pyro4 --user www-data
But this results in the error "Could not find a version that satisfies the requirement www-data (from versions: )
No matching distribution found for www-data"
Looks a bit like this question https://superuser.com/questions/646062/granting-write-permissions-to-www-data-group
I wanted to suggest using the PYTHONPATH environment variable to point to a library install location readable by the www-data user where you'd copy the python modules it needs to access, but I think this is considered bad form nowadays.
Probably best is to create a Python Virtualenv that is accessible for the www-data user and install all required modules into that, using the pip command from that virtualenv. You may have to use some sudo/chown dance to get this right still.
Another way perhaps is to not bother with calling a python subprocess at all, but use Pyro's HTTP gateway. That way you can simply do an HTTP request from PHP to a locally running Pyro http gateway process, which will translate it into a proper Pyro call. I don't know PHP but it seems to me that it should be easy to make a custom http request to a server running on some localhost port. This may be faster as well because you're not starting up python processes for every call.
(edit): another successfully working solution seemed to be the following, where sudo is used to invoke pip under the appropriate user, letting it install the library into www-data's .local library folder:
create /var/www/.local and /var/www/.cache folders, giving www-data permissions to these folders only (and not /var/www to avoid security issues)
invoke sudo -H -u www-data pip3 install pyro4
You may still need to add --user to the pip command if it's an older version, because I think that only recent pip versions install to the user's lib folder by default instead of to the global system python's lib folder.
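An added example, not part of the original answer: the virtualenv approach suggested above, built as root so that www-data can import Pyro4 but cannot modify the code it runs, followed by a check that lists anything under a tree the web user could write to. The path /opt/pyro-venv and the function names build_venv, web_writable and audit are assumptions.

```sh
#!/bin/sh
# Added example. Assumed names (not from the page): /opt/pyro-venv, build_venv,
# web_writable, audit. www-data and pyro4 are the names used in the thread.
VENV=/opt/pyro-venv
WEB_USER=www-data

# Create the virtualenv as root (so root owns every file) and leave it
# read/execute-only for everyone else: the web server can import the
# modules but cannot replace them.
build_venv() {
    sudo python3 -m venv "$VENV" &&
    sudo "$VENV/bin/pip" install pyro4 &&
    sudo chmod -R u=rwX,go=rX "$VENV"
}

# Print every entry under DIR the web user could modify: owned by USER,
# group-writable and in GROUP, or world-writable. Symlinks are skipped because
# their mode bits always read 777. USER/GROUP may be names or numeric ids.
web_writable() {
    dir=$1 user=$2 group=${3:-$2}
    find "$dir" ! -type l \( -user "$user" \
        -o \( -group "$group" -perm -020 \) \
        -o -perm -002 \) -print
}

# Status 0 when nothing is writable, 1 when something is (listed on stderr),
# 2 when find itself failed (unknown user, unreadable directory).
audit() {
    found=$(web_writable "$@") || return 2
    if [ -n "$found" ]; then
        printf '%s\n' "$found" >&2
        return 1
    fi
}

# "./script.sh build" builds the venv, then verifies it.
if [ "${1:-}" = build ]; then
    build_venv && audit "$VENV" "$WEB_USER"
fi
# client.py then starts with:  #!/opt/pyro-venv/bin/python3
```

Running audit against /var/www/.local or a binary such as /usr/local/bin/meshlabserver reports the same condition for the chown and chmod 777 approaches discussed elsewhere in these threads.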
I thought I'd throw together a little dirty script on our server (Ubuntu 16.04) that gives me some plain text output from Python.
I want to call the script like this from PHP (I know there should be some escaping done, but it's just a test currently):
<?php
$command = '/usr/local/bin/script.py';
$output = shell_exec($command);
echo $output;
?>
This is script.py owned by www-data mode 774
#!/usr/bin/python
import CoolProp.CoolProp as CP
import argparse
print('Hallo Welt')
If I comment out the CoolProp import it works. But somehow the package cannot be reached by www-data and so the script returns nothing.
As you see I want to use the package CoolProp.
So I tried installing it with pip install CoolProp => That works for my local user. But now when called from user www-data
After I tried to install it with a target --target=/usr/local/lib/site-packages/ but that did not help.
I tried to change the ACL on the complete site-packages/ to rwx for www-data but that does not work as well.
In the end: What is the simplest way to pip install a package that can be used by all users including www-data?
I recommend that you try the solution that xotihcan posted first as that is the easy way to make most python modules available to all users including www-data. However it doesn't work for every python module. If that doesn't work for you or you just want to install modules for the www-data user only then use the following commands:
sudo mkdir /var/www/.local
sudo mkdir /var/www/.cache
sudo chown www-data.www-data /var/www/.local
sudo chown www-data.www-data /var/www/.cache
sudo -H -u www-data pip install CoolProp
I had this same issue trying to make the Python pyro4 module available for the www-data user. There is another way to do it but it involves some even dirtier hackery. For more details check out my question/answer: How do I properly call a Python Pyro client using PHP and Apache web server?
Run PIP with root user.
That should fix the problem.
I am trying to deploy a Symfony2 PHP project on Ubuntu 15.10 with MagePHP, but it always asks me for the SSH user's password when executing:
sudo php vendor/andres-montanez/magallanes/bin/mage deploy to:staging
When checking the log I can see it stops at this command:
ssh -p 22 -q -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no ssh-user@my-domain.com "sh -c \"mkdir -p /customers/489176_10999/websites/my_company/symfony/staging/releases/20160902094526\""
Executing this command by itself works fine (so the server accepts the ssh key), but from within the context of the deployment script it doesn't.
I am quite puzzled by this, since both commands are run from the same directory. Any ideas how I can make this work?
Try running the deploy with sudo.
Regards!
Since the file has been located under /var/www the ssh-agent had no access to the key files, since they were stored under the user directory. Moving the entire project inside the user directory fixed this issue.
I have meshlab installed in my machine running Ubuntu 14.04 OS. I can access it from command line using meshlabserver command. But problem arises whenever I try to call it from a php script using the command
<?php
system('meshlabserver 2>&1');
?>
It shows the error meshlabserver: cannot connect to X server. After going through a few websites I did the following things:
I moved the meshlabserver executable from /usr/bin to /usr/local/bin and gave it executable permissions using
sudo chmod a+x meshlabserver
But when I ran the whoami command from my php script (calling the meshlabserver), it showed www-data. So I gave executable permissions for all users to the meshlabserver using
sudo chmod 777 /usr/local/bin/meshlabserver
But still it is showing the same meshlabserver: cannot connect to X server error. The meshlabserver command is working fine when run from the command line.
I really need to call meshlab from the php script for my website. Thus any help would be highly appreciated. Thanks in advance.
It seems the php script can't access your display variable. If you logged in via ssh remember to tunnel your X-server via 'ssh -X ...' Your second option is to create a virtual frame buffer using Xvfb and redirect the display variable to it:
export DISPLAY=:100.0
Xvfb :100 &
Note the ampersand for the second command as Xvfb needs to be running in the background.
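An added example, not part of the original answer: a wrapper that starts a private Xvfb on an unused display for the duration of one command, instead of leaving a server running on a fixed display number. The function names free_display and run_headless, the starting display 99 and the script path in the final comment are assumptions; Xvfb must be installed.

```sh
#!/bin/sh
# Added example. free_display and run_headless are assumed names; the lock-file
# and socket paths are the ones X servers use under /tmp.

# Print the first display number >= START with no lock file or socket in TMP.
free_display() {
    n=${1:-99} tmp=${2:-/tmp}
    while [ -e "$tmp/.X$n-lock" ] || [ -e "$tmp/.X11-unix/X$n" ]; do
        n=$((n + 1))
    done
    echo "$n"
}

# Start a private Xvfb, run the given command against it, then stop the server.
run_headless() {
    num=$(free_display 99)
    # -nolisten tcp keeps the virtual display off the network
    Xvfb ":$num" -screen 0 1024x768x24 -nolisten tcp >/dev/null 2>&1 &
    xvfb_pid=$!
    tries=0
    # Wait up to about 5 s for the server socket to appear.
    while [ ! -e "/tmp/.X11-unix/X$num" ] && [ "$tries" -lt 50 ]; do
        sleep 0.1
        tries=$((tries + 1))
    done
    if [ ! -e "/tmp/.X11-unix/X$num" ]; then
        kill "$xvfb_pid" 2>/dev/null
        return 1
    fi
    DISPLAY=":$num" "$@"
    status=$?
    kill "$xvfb_pid" 2>/dev/null
    return "$status"
}

# From PHP: system('/usr/local/bin/headless.sh run meshlabserver 2>&1');
if [ "${1:-}" = run ]; then
    shift
    run_headless "$@"
fi
```

On Debian and Ubuntu the xvfb package ships xvfb-run, which wraps the same steps.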
A combo of prior answers works for me:
ssh -X, as well as export DISPLAY=:0.0 (on remote)